2024 TON Ecosystem Panorama Observation and Security Research Report

1. Introduction

This report is jointly produced by TonBit, a subsidiary brand of the Web3 blockchain security audit company BitsLab, in collaboration with its partner TONX. With the continuous development of blockchain technology and the increasing application, the TON ecosystem continues to show strong rise momentum in 2024, attracting a large number of developers, investors, and users’ follow.

In 2024, the TON ecosystem continued to make significant progress in technological innovation, application implementation, and community building, further consolidating its position in the blockchain field. However, with the rapid development of the ecosystem, security issues have become increasingly prominent. In the face of evolving security threats, how to effectively prevent and respond has become an important issue for the TON ecosystem.

2.Overview of the TON Ecosystem

2.1 Introduction to the TON Ecosystem

Basic Introduction and Architecture

TON (The Open Network) is a blockchain and digital communication protocol created by Telegram, designed to build a fast, secure, and scalable blockchain platform that provides users with decentralized applications and services. By combining blockchain technology and Telegram’s communication features, TON achieves high performance, high security, and high scalability. It supports developers in building various decentralized applications and provides distributed storage solutions. Compared to traditional blockchain platforms, TON has faster processing speeds and throughput, and adopts a Proof-of-Stake Consensus Mechanism.

2.2 Why Choose TON

When competing with the strong liquidity and community of Bitcoin and Ethereum, TON demonstrates unique advantages. The blockchain trilemma proposed by Vitalik Buterin describes the challenges Layer 1 networks face in balancing security, scalability, and efficiency. Bitcoin and Ethereum each have their pros and cons, but TON overcomes many of these challenges through its flexible and sharded PoS architecture.

2.2.1 Flexible and Sharding PoS Architecture

TON adopts an attestation consensus mechanism and achieves high performance and multifunctionality through its Turing-complete smart contracts and asynchronous blockchain. The lightning-fast and low-cost transactions of TON are supported by the chain’s flexible and sharding-capable architecture. This architecture allows for easy scalability without sacrificing performance. Dynamic sharding involves separately developed shards with their own purposes that can run simultaneously and prevent large-scale bottlenecks. The block time of TON is 5 seconds, with a finalization time of less than 6 seconds.

The existing infrastructure is divided into two main parts:

● Mainchain: Responsible for handling all important and critical data of the protocol, including the addresses of the validators and the amount of coins being validated.

● Workchain: A secondary chain connected to the mainchain, containing all transaction information and various smart contracts; each workchain can have different rules.

2.2.2 Use Cases and Advantages

The TON Foundation is a DAO operated by the TON core community, providing various support for projects within the TON ecosystem, including developer support and liquidity incentive programs. In 2024, the TON community made significant progress in multiple areas:

● The launch of TON Connect 2.0: Provides an intuitive way to connect Wallets and applications, enhancing user experience.

● TON Verifier: A smart contracts checker created by the Orbs team that enhances the reliability of contracts.

● Blueprint Development Tool: Helps developers write, test, and deploy smart contracts.

● Sandbox Developer Toolkit: Suitable for a variety of use cases ranging from enterprises to governments.

● Tact Language BETA Version: Promotes a more powerful programming environment.

● TON Society Internationalization: Launched international centers in multiple cities around the world.

● Decentralized Finance Liquidity Incentive Program: Provide funding for projects to promote the sustainability of the TON DeFi space.

2.3 Overview of the Development Direction and Goals of TON in 2024

The development roadmap of TON includes many interesting plans, such as a stablecoin toolkit, sharding tools, and native bridges for BTC, ETH, and BNB.

● No Gas Fee Transactions: TON may subsidize Gas fees in certain situations to attract more users.

● Separation of Validator Nodes and Packing Nodes: This is a significant upgrade to TON’s scalability, aiming to onboard 500 million Telegram users by 2028.

● Elector and Configuration Contract Update: Allows users to vote on network proposals.

● TON Stablecoin Toolkit: Allows anyone to issue algorithmic stablecoins pegged to local fiat currencies.

● Jetton Bridge: Allows users to send TON tokens to other chains.

● ETH, BNB, and BTC Bridge: Launching the official bridge to bring major Crypto Assets to TON.

● Non-native Token: Allows TON users to create tokens similar to native ones.

3. Ecological Development Status

3.1 Ecological Overview

The TON Foundation’s official website showcases nearly 1,000 applications across a wide range of fields, such as Decentralized Finance (DeFi), gaming, social media, and utility applications. Through these projects, the TON Foundation demonstrates its leading position in the blockchain technology field and promotes innovation and the development of the ecosystem.

3.2 Key Metrics of the TON Ecosystem

As of July 27, 2024, the number of validating nodes on the TON chain is 383, with a total staked amount of over 590 million $TON, distributed across 29 countries. The daily active address count reached 373,000, a year-on-year rise of 5360%. The TON network’s Decentralized Finance ecosystem shows strong development momentum, with the number of unique users reaching 1,784,089 and a total value locked (TVL) of 706,307,873 USD, while the number of Liquidity Providers stands at 26,297.

3.3 How TON Can Become a Powerful Decentralized Gaming Platform

3.3.1 Main Reasons for Building Decentralized Games Based on TON

Developing decentralized games based on the TON blockchain offers a range of advantages for businesses and developers:

● Integration with Telegram: Provides access to over 900 million monthly active users.

● Powerful user acquisition and retention tools: Including Telegram App Center and advertising tools.

● Fast and Efficient Blockchain: Processes over 100,000 transactions per second while maintaining low fees.

● Diverse monetization opportunities: such as in-app advertising and tradable non-fungible Tokens.

● Simple and Accessible: Provides a complete set of tools for GameFi Web3 developers and players.

4.TON Ecosystem Security Research

4.1 How to Develop Securely on TON

To ensure the security of smart contracts, we need to take a series of security measures. Here are some key security practices in the TON ecosystem:

1. Access Control Description: When there are certain important logic or sensitive operations in a contract that require specific authorized users to execute, we should implement access control to prevent attackers from performing sensitive operations, thus causing serious damage.

Practice:

➢ Determine which operations require permission control.

➢ Access to operations requiring permission is restricted by verifying the sender of the message.

➢ Regularly review and update access control policies to accommodate changes in contract requirements.

Specific proposals can be referenced:

2. Verify Message Input Description: If there is a lack of proper validation or filtering of external inputs in smart contracts, it may lead to malicious users or attackers inputting harmful data, potentially resulting in unsafe behavior or vulnerabilities.

Practice:

➢ Strictly validate and filter all external inputs, including verifying data types, checking boundary conditions, and sanitizing user inputs.

➢ Consider all possible input scenarios, including edge cases and unexpected inputs.

➢ Regular audits and testing of input validation logic. 3. Check Gas Usage Description: When handling internal messages, the sender usually needs to pay the gas fee. When processing external messages, the contract covers the gas usage. This means caution is required regarding gas usage in external messages. The contract’s gas usage should always be tested to verify that everything operates as expected and to avoid vulnerabilities that could deplete the contract’s balance.

Practice:

➢ Monitor and optimize gas usage during the development process.

➢ Use gas limits to prevent high consumption operations.

➢ Regularly test the gas consumption of contracts under different scenarios. 4. Timestamp Dependency Description: The behavior of some smart contracts relies on block timestamps, which may be manipulated by validators. For example, validating nodes can selectively include or exclude certain transactions, or adjust timestamps to serve specific purposes. This behavior can lead to the manipulation of contract logic, resulting in security risks.

Practice:

➢ Avoid relying directly on block Timestamp for critical logic judgments.

➢ If a Timestamp must be used, please ensure to use a more reliable and uncontrollable method.

➢ Adopt a time buffering mechanism that allows time to vary within a certain range, reducing reliance on a single point in time.

➢ Regularly review contract logic to ensure it is not affected by Timestamp manipulation. 5. Integer Overflow Description: Integer overflow and underflow are arithmetic operations that exceed the representational range of the variable, leading to incorrect calculation results. Integer overflow typically occurs in operations such as addition, subtraction, and multiplication. If not controlled, it can lead to serious security issues, such as incorrect balance calculations or unintended fund transfers.

Practice:

➢ Use a secure mathematical library to handle integer operations.

➢ Add overflow checks before and after all mathematical operations.

➢ Regularly audit the contract code to ensure that all integer operations are protected. 6. Rounding Error Description: Rounding error risk refers to the inaccuracies in calculation results caused by limitations in precision during numerical operations or improper rounding methods. This risk can lead to financial losses or unfair distribution, especially when dealing with currency or high-precision numbers.

Practice:

➢ Use high-precision numeric libraries or fixed-point libraries to handle currency calculations.

➢ Regularly test and verify numerical computation logic to ensure accuracy meets expectations.

➢ Clearly specify the rounding method in the code to ensure consistency. 7. Denial of Service Description: The risk of denial of service refers to the consumption of the computational resources of smart contracts or the triggering of erroneous conditions, leading to the inability of the contract to execute normally or becoming stuck in endless operations. This may prevent legitimate users from interacting with the contract and even hinder the updating of the contract’s state.

Practice:

➢ Limit the number of iterations or recursion depth to avoid long-running operations.

➢ Check the remaining gas before key operations to avoid transaction failures due to insufficient gas.

➢ Regularly review and optimize contract logic to ensure efficiency and reliability.

➢ Use event logging to record important operations for easier troubleshooting and recovery. 8. Business Logic

Description: Business logic vulnerabilities refer to design flaws or implementation errors in smart contracts that result in abnormal behavior under certain circumstances during the execution of their business processes. These vulnerabilities may be exploited by malicious users, leading to serious consequences such as financial loss, data tampering, or the failure of contract functions. Business logic vulnerabilities are typically not coding errors but rather misunderstandings or incomplete implementations of business requirements and processes.

Practice:

➢ Deeply understand and analyze business requirements to ensure logical design is correct.

➢ Conduct regular code audits and logic validations to promptly identify and fix vulnerabilities.

➢ Write comprehensive test cases that cover all possible business scenarios.

Through the above security practices, we can greatly enhance the security of smart contracts, drop risks, ensure the stable operation of contracts, and protect users’ funds.

4.2 TON Ecosystem Security Incident Review

In 2024, multiple security incidents occurred within the TON ecosystem, revealing challenges related to its security. Below is a detailed description of some significant events, an analysis of the causes, impacts, and solutions, as well as a review of some typical security vulnerabilities.

1.The stake contract of a certain protocol was attacked, resulting in significant Token losses

Time: May 22, 2024

Loss Amount: /

Root Cause: Parameter configuration error

Description:

After celebrating the prosperous staking event of the TON ecosystem, a staking contract of a certain protocol was attacked by a hacker due to a configuration error in the protocol parameters, resulting in a large number of tokens being stolen from the contract. After the incident, the project party immediately suspended the staking reward claiming feature and allocated a large amount of $USDT to repurchase the lost 307,264 tokens.

After the attack occurred, the project party quickly contacted TonBit for an audit. TonBit demonstrated its professionalism, responded swiftly, and assembled a team of security experts to conduct a comprehensive and detailed security audit of the project’s core code. TonBit’s security experts identified 6 low-risk issues and immediately communicated in detail with the project party team. With their rich experience and professional technical capabilities, TonBit not only provided specific solutions to the issues but also assisted the team in rapidly completing the fixes for all problems, ensuring the security and stability of the contract.

Issues related to configuration discovered by the TonBit audit:

Solution: Modify parameter configuration

2. Hackers use Wallets to display controllable comment information to mislead users

Loss Amount: 22,000 TON

Root Cause: The comment information displayed during wallet transactions may mislead users.

Description:

When handling transfer messages in TON, while comments can be added, some wallets have a potential misleading risk in their UI design when displaying these comments. This design flaw is exploited by hackers, who can manipulate the comment content of transfer messages to show false information to users during transactions, thereby committing fraud and causing users to make erroneous operations, resulting in financial losses.

Solution:

To address this issue, the Wallet application needs to add prominent annotations when displaying this information, reminding users that this content is not trustworthy. Additionally, the Wallet development team should improve the UI design to ensure the transparency and reliability of transaction information. At the same time, users also need to enhance their discernment skills and be cautious of suspicious transaction information.

Further Measures:

TonBit suggests that wallet development teams introduce a multi-layer verification mechanism when displaying transaction annotation information, such as source verification of the annotations to ensure the reliability of the information. Additionally, regular user education and the release of security tips can help users identify and prevent potential fraudulent activities. By combining technical measures with user education, the occurrence of such security incidents can be effectively reduced.

3. BookPad used a backdoored contract to scam funds and then executed a Rug Pull

Time: April 15, 2024

Loss Amount: 74,424 TON

Root Cause: BookPad ran away after siphoning user funds using a backdoor contract.

Description:

BookPad released a smart contract with a backdoor that is not open source and started a presale activity. After receiving sufficient funds, they used the backdoor in the contract to withdraw the funds and then quickly did a Rug Pull.

Solution:

To prevent similar incidents from happening again, users should collect as much information as possible about the project party before participating in any investment activities, and choose those that are Open Source and have undergone strict security audits.

TonBit suggests that users especially follow the following points:

2. Security Audit: Choose projects that have been audited by reputable security auditing firms. Security audits can identify and fix potential vulnerabilities in contracts, providing an additional layer of protection.

3. Project Background Investigation: Investigate the background of the project party, the credibility of team members, and their historical records. Project parties with high transparency and good reputation are more trustworthy.

4. Community Feedback: Follow the community’s feedback on the project, participate in discussions, and understand the project’s reputation and potential risks.

Further Measures:

TonBi suggests introducing stricter regulatory and review mechanisms within the TON ecosystem for new projects to undergo qualification audits to ensure compliance with safety standards. Additionally, a public contract code library could be established, where only audited contracts are allowed for use. This will significantly drop the risk of user funds being stolen and enhance the overall safety and credibility of the TON ecosystem.

5 How Users Can Stay Safe on TON and Telegram

With the rapid development of the TON and Telegram ecosystem, there are now over 38 million active accounts, and the increasing attention has also brought greater risks.

Scammers and malicious actors target the influx of newbie users, and even in the safest ecosystems, it is crucial to stay vigilant and understand potential risks. Here are the most common scams you need to pay extra attention to.

5.1 Common Scamming Tactics

1. Urgent help from a fren: Scammers impersonate frens or family members, urgently requesting funds. Be sure to verify their identity.
2. Phishing Websites: Fake sites that mimic real ones to steal login information. Check the URL and avoid clicking on unknown links.
3. Investment Eyewash: These eyecatchers are very common in the Crypto Assets space, promising high returns without proof. Do your due diligence; if it sounds too good to be true, it probably is an eyewash.
4. Fake Surveys: Offering rewards for participating in surveys to steal personal information. Avoid providing detailed information to unknown surveyors.
5. Fake Job Opportunities: Attractive job advertisements require personal information, downloading applications, or paying fees. Verify through official channels.
6. Classified Ad Eyewash: Fake ads direct you to a fraudulent Telegram bot to steal information.
7. Pump and Dump: A group manipulates crypto asset prices for profit, causing losses for others. Always research and verify investment advice.
8. Romantic eyewash: In online relationships, scammers ask for money or personal information. Be wary of requests for money from people you meet online.

5.2 Beware of the Toncoin Pyramid Scheme

Telegram’s support for the TON blockchain has unfortunately attracted some eyewash who are trying to exploit unsuspecting users. Here is a detailed analysis of the scam:

1. Setup: The scammer sends a link to an “exclusive profit-making plan,” appearing to come from a fren or contact. They lead users to join an unofficial Telegram bot, falsely claiming it is for storing Crypto Assets.
2. Investment: Users are instructed to purchase Toncoin through legitimate channels (such as Wallets, P2P markets, or crypto asset exchanges). This adds false credibility. Once purchased, users must transfer their Toncoin to the scam bot.
3. Accelerator: Victims are forced to purchase an “accelerator” through a separate bot, costing between 5 and 500 Toncoin. At this stage, users lose their Crypto Assets.
4. Recruitment: Scammers promote referral programs, asking users to create private Telegram groups and invite frens. They promise a fixed payment of 25 TON for each person referred, along with commissions based on the purchases made by the referrer.

In fact, this is a typical Pyramid Scheme. The scammer makes money while others lose their investment principal.

5.3 How to Avoid Online Scams

To protect yourself from online scams and ensure the security of your Telegram account, please follow these basic steps:

1. Enable two-step verification for Telegram: Go to “Settings > Privacy and Security > Two-Step Verification” to add an extra layer of security to your account.
2. Verify Contacts: Be cautious of unsolicited messages, especially those requesting personal information or funds. Confirm the sender’s identity through other means.
3. Regularly check Telegram account activity: Go to “Settings > Devices > Active Sessions” to check if there are any unknown devices or sessions on your account.
4. Report Suspicious Activity: If you encounter fraudulent behavior, please report it to Telegram.
5. Avoid get-rich-quick schemes: Be wary of these schemes, even if they are recommended by fren or family, as they may also be victims.
6. Do not transfer Crypto Assets to unknown Wallets: Always verify the recipient’s identity before transferring Crypto Assets to avoid being scammed.

Staying safe in TON and Telegram requires vigilance and awareness. By recognizing common scams and following these safety tips, you can protect your assets and personal information. Always verify sources, remain skeptical of deals that seem too good to be true, and only conduct transactions through official channels. Stay informed and cautious, and you can enjoy the benefits that TON and Telegram offer without becoming a victim of fraud!

6. Summary

The reason to choose TON lies in recognizing the ecosystem of Telegram itself. Deploying your Web3 project on TON can leverage Telegram’s massive user base, with over 700 million monthly active users. This integration provides a fertile environment for the prosperity of decentralized applications. TonBit is committed to providing comprehensive security guarantees for the TON ecosystem, helping projects achieve higher security standards and user trust. As the guardian of the TON ecosystem, TonBit will continue to strive to contribute to the development of blockchain technology.